Usherfly

Sub-Processor List

Last updated: June 14, 2026. Customers notified at least 30 days before changes take effect.

Active Sub-Processors

| Sub-Processor | Category | Processing Purpose | Data Types | Region / Safeguard |
| --- | --- | --- | --- | --- |
| Amazon Web Services (AWS) (DPA) | Cloud infrastructure | Hosting, storage, compute | All user and organization data | eu-central-1 (Frankfurt, EU) — GDPR-adequate |
| Paddle Billing (DPA) | Payment / Merchant of Record | Subscription billing, payment processing, refund management | Billing address, subscription state (card data never enters Usherfly systems) | Paddle's own infrastructure — MoR via Estonian OÜ entity |
| Transactional email provider | Email delivery | Onboarding notifications, system emails, account alerts | Email address, name, notification content | Provider selection within GL-5 scope; DPA link to be added upon selection |
| PostHog (DPA) | Product analytics | Usage pattern analysis, feature adoption tracking, consent-gated session replay | Pseudonymous event data (no IP capture), masked session recordings | EU data region (eu.i.posthog.com) — GDPR-adequate |
| Sentry (DPA) | Error tracking | Technical error monitoring, performance tracking | Error stack traces, platform context (personal data minimized) | EU data region — GDPR-adequate |
| Anthropic (Claude) (DPA) | AI | AI onboarding flow generation | Admin-provided flow description, role, and context text (admins are instructed not to include onboardee personal data in these fields; the description and context are sent transiently and not stored persistently by Usherfly, while the optional role may be retained in flow-generation audit logs) | United States — transferred under Standard Contractual Clauses (SCCs) via the Anthropic Commercial Terms (execution confirmation pending) |
| OpenAI (DPA) | AI | AI onboarding flow generation | Admin-provided flow description, role, and context text (admins are instructed not to include onboardee personal data in these fields; the description and context are sent transiently and not stored persistently by Usherfly, while the optional role may be retained in flow-generation audit logs) | United States — transferred under Standard Contractual Clauses (SCCs) via the OpenAI DPA (execution confirmation pending) |
| Google (OAuth / Workspace) (DPA) | Authentication | Authentication / sign-in identity | Name, email, Google account id | United States — transferred under Standard Contractual Clauses (SCCs) via the Google Cloud DPA; consent at sign-in (Google OAuth) |
| SMS providers (Twilio, İletimerkezi) | SMS delivery | Delivery of transactional onboarding messages and opt-in marketing messages by SMS | Phone number, message content | Region / transfer mechanism to be finalized before go-live — a GDPR-adequate safeguard will be in place; DPA link to be added on go-live |
| WhatsApp provider (planned) | WhatsApp messaging | Delivery of transactional onboarding messages and opt-in marketing messages over WhatsApp | Phone number, message content | Provider selection to be finalized before go-live — a GDPR-adequate safeguard will be in place; DPA link to be added upon selection |

Questions: legal@usherfly.io

Security disclosure: If you have found a security vulnerability, please report it to security@usherfly.io. We review reports and respond in line with responsible-disclosure principles.

Data Processing Agreement